tl;dr: Test Kubernetes manifests for known production issues before deploying to production.
This repo contains Open Policy Agent policies for testing Kubernetes manifests with conftest. The policies close the gap between `kubectl apply --dry-run --validate` or kubeval, and the Kubernetes API. These policies identify semantic validation issues such as a `Deployment` selector not matching template labels, and higher level best practices.
```
$ git clone git@github.com:ahawkins/opa-kubernetes.git
$ conftest test -p opa-kubernetes/policy your_manifests/*.yml
$ conftest test -p opa-kubernetes/policy -n combined your_manifests/*.yml
```
Goals:

- Identify manifests that may be rejected by the Kubernetes API
- Identify functional issues in manifests not identified by existing tools
- Enforce best practices
Applies to: `Deployment`, `Job`, `CronJob`

- WRK-01: containers set resource requests and limits
- WRK-02: `volumeMount` matches `volume`
- WRK-03: `volumes` are mounted
- DPL-01: containers set liveness and readiness probes
- DPL-02: selector matches template labels
- DPL-03: liveness and readiness probes match container port
- JOB-01: explicit `backoffLimit` set
- SEC-01: base64 encoded secrets contain valid Base64 encoded keys
- HPA-01: minimum replicas less than maximum replicas
- CMB-01: container `envFrom` matches a `ConfigMap` or `Secret` in the manifests
- CMB-02: volume from matches `ConfigMap` or `Secret`
- CMB-03: `Service` selector matches a `Deployment`
- CMB-04: `HorizontalPodAutoscaler` scaling target matches a `Deployment`
- CMB-05: Service port matches container port
- CMB-06: HPA managed deployment does not set replicas
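The rules above are conftest policies written in Rego. As an added example that is not the repo's own policy code, here is one way DPL-02 and WRK-02 could be expressed in the default `main` namespace; the `pod_spec` helper and the message wording are my own assumptions, and WRK-02 here only checks `containers`, not `initContainers`:

```rego
package main

# Locate the pod spec for each workload kind the WRK rules apply to
# (assumption: same three kinds as the repo's rule list).
pod_spec = input.spec.template.spec {
	input.kind == "Deployment"
}

pod_spec = input.spec.template.spec {
	input.kind == "Job"
}

pod_spec = input.spec.jobTemplate.spec.template.spec {
	input.kind == "CronJob"
}

# DPL-02: every selector label must appear on the pod template with the
# same value, otherwise the API server rejects the Deployment.
deny[msg] {
	input.kind == "Deployment"
	some key
	want := input.spec.selector.matchLabels[key]
	labels := object.get(input.spec.template.metadata, "labels", {})
	got := object.get(labels, key, "<missing>")
	want != got
	msg := sprintf("DPL-02: selector %s=%s does not match template label (%s)", [key, want, got])
}

# Names of the volumes declared at the pod level.
volume_names[name] {
	name := pod_spec.volumes[_].name
}

# WRK-02: each volumeMount must reference a declared volume; a typo in
# the mount name is otherwise only caught when the pod fails to start.
deny[msg] {
	container := pod_spec.containers[_]
	mount := container.volumeMounts[_]
	not volume_names[mount.name]
	msg := sprintf("WRK-02: container %s mounts %s which is not declared in volumes", [container.name, mount.name])
}
```

Drop the file into the policy directory and run the `conftest test -p ... your_manifests/*.yml` command shown above; a violating manifest makes conftest exit non-zero and print the rule number in the message.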
Add a new acceptance test in `test/` for the rule. Tests take valid data, then modify it with `yq` to break the rule. Tests assert that the relevant `conftest test` command exits non-zero and outputs the rule number.

```
$ task test:acceptance
```